Why Doctors Should Care About HIPAA Compliance
Every day I talk with doctors (or others who talk with doctors) and am told that HIPAA compliance is an unnecessary expense, proof that the government is interfering in our lives, not important because no one is going to audit me, a waste of time and money, and more.
Doctor, I am telling you as your patient, that I value the medical care you provide, but I consider the privacy of my health information an important part of my care. I need to trust you with my health and privacy. I expect you to adopt HIPAA compliance the same way you adopted Universal Precautions to protect yourself and your staff, and the steps you are now taking to protect me against Healthcare-associated Infections (HAI.)
Doc, times have changed. Our world has become inconvenient and more expensive because of security. To get on an airplane you have to take off your shoes and you can’t take a bottle of water through airport security, If you want to fly you have to deal with it. Health care is getting inconvenient and more expensive because of electronic medical records and HIPAA compliance. If you want to treat patients you have to deal with it.
Universal Precautions and HAI controls have required you and your staff to change habits, spend dollars, and become accountable to each other and to regulators. These were always the right things to do but it took government regulations to get many practices and hospitals to adopt them. In fact, HAI’s went from being a bonus for hospitals (come in for a broken leg, stay extra billable days for the staph infection you got in the hospital) to a cost for hospitals, and a statistic made public by the government. Now hospitals are scrambling to prevent infections. Good for me. I am thankful for the new regulations.
“I’ll never get caught.”
HIPAA compliance was not enforced for many years, but it is now. The regulators hired a former federal prosecutor to enforce HIPAA, and more enforcement has taken place in the last 3 years than the previous 7 years. A small practice paid $ 100,000 for sending patient information through a free webmail account. A small hospice paid $ 50,000 for losing a laptop. A health plan was just fined $ 1.2 million for leaving patient data on the hard drive buried in a copier it returned at the end of its lease.
Your chances of a HIPAA audit are slim, but if you are applying for Meaningful Use money your chance of an audit is much greater. HIPAA compliance is a basic Meaningful Use requirement tied to the protection of health information. And, you are always subject to a HIPAA compliance investigation into a complaint filed by a patient, employee, or someone just looking to get you.
Health Safety and Information Privacy
I am glad you don’t you share the needle you stuck in me with another patient. I am glad you put on gloves before treating me. So why are you using old computers without security to access my medical records? You need new ones with secure business class operating systems to protect my information.
Why are you having my call for help relayed by an unsecure text message? HIPAA compliance forbids using unsecure text messaging from cell providers that will not sign a Business Associate Agreement or comply with HIPAA. Use a secure texting solution or take the call from your answering service. (By the way, make sure your answering service commits to HIPAA compliance because you are at risk if they breach my privacy.)
Why do you allow my private information to be sent to you by e-mail, and relayed to your unsecure phone? HIPAA compliance requires that your phone be secured and wiped if lost.
Why does your office use G-mail (or another free webmail service,) whose terms of use include your agreement that Google can read your mail, and Google won’t sign a Business Associate Agreement committing to keeping my info private? Yes, Gmail is FREE, but HIPAA compliance requires a secure e-mail system from a vendor that will sign a Business Associate Agreement, and Google won’t. Ditch them now.
Doc, IT Security and HIPAA compliance are complicated. Since you have no problem referring me to a medical specialist, maybe you should consult a professional IT specialist certified in HIPAA? Just a thought…
Doc, you took an oath to do no harm to me. That includes protecting my privacy through HIPAA compliance.
Thanks for listening. I hope I don’t have to see you today.